If you weren't aware, all music purchased online through iTunes, Amazon, and other digital audio providers has information embedded in it that can be used to identify the buyer and the transaction behind the digital music file. This may seem like something that should be disclosed in their terms of use, but it's not.

It's nowhere to be found actually.

So how does it work exactly?

Well, during the process of purchase, your username and transaction ID are given to the retailer you are using. As the song loads for download, software embeds information that carries both the account name and transaction into the music file. After the download, your MP3 then hides away this information deep in its nether regions, never to be seen again...unless you know where to look.

The picture below shows my username (highlighted in blue) engrained in the entrails of an MP3 purchased on iTunes.

So what's so important about a song carrying your username and transaction ID?

While the data can't be exploited by others to purchase more music or hack into your account, it can be used against you—the original purchaser—if your MP3 is somehow leaked onto torrent sites and uploaded by others.

Once a song is released into the wild, record companies can dissect the MP3 and gather the necessary information to press charges against the person who originally purchased the song and allowed it to be bounced around on the internet for free downloads.

While the idea is a smart one on the behalf of the record companies, what happens if your MP3 player is stolen and all of your music uploaded online to be downloaded by others? Well let me put it in layman's terms for ya—

You'll get screwed.

Protect Yourself

If you want to prevent this from happening, you can use a utility that strips the personal information from the file, and thanks to Randy G, iDesiccate (Windows only) does just that.

So far, Randy G has cleaned over 2,000 files without any problems, but states "I can't guarantee that if you have a corrupted file that iDesiccate won't corrupt it further. So back up your files first and run small batches through it."

Once your files run through the program, you should be okay if your files are stolen or purposely released into the wild internet. Without the embedded information, your MP3s should now be squeaky clean!
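To see what a purchased file carries, and to verify that a cleaning pass really removed it, you can walk the MP4 atom tree used by iTunes purchases (the M4A container described in the comments below). This is an added example, not code from the article or from iDesiccate; the atom names `apID`, `ownr` and `purd` are an assumed watch list, and both sample files are constructed inside the code.

```python
import struct

# Assumption: names commonly reported for iTunes purchase items; the page names none.
SUSPECT = {b"apID", b"ownr", b"purd"}
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst"}

def atoms(buf, start, end):
    """Yield (type, payload_start, payload_end) for each atom in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size follows the type
            size, header = struct.unpack(">Q", buf[pos + 8:pos + 16])[0], 16
        elif size == 0:                     # atom runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return                          # truncated or corrupt: stop parsing
        yield kind, pos + header, pos + size
        pos += size

def find_purchase_atoms(buf, start=0, end=None, parent=b""):
    """Return {item name: text} for watch-listed items under moov/udta/meta/ilst."""
    end = len(buf) if end is None else end
    found = {}
    for kind, p0, p1 in atoms(buf, start, end):
        if parent == b"ilst" and kind in SUSPECT:
            for sub, d0, d1 in atoms(buf, p0, p1):
                if sub == b"data" and d1 - d0 >= 8:  # 4-byte type + 4-byte locale
                    found[kind.decode()] = buf[d0 + 8:d1].decode("utf-8", "replace")
        elif kind in CONTAINERS:
            skip = 4 if kind == b"meta" else 0       # meta: version/flags come first
            found.update(find_purchase_atoms(buf, p0 + skip, p1, kind))
    return found

def box(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload
def item(kind, text):
    return box(kind, box(b"data", struct.pack(">II", 1, 0) + text.encode()))

def sample(items):
    meta = b"\x00" * 4 + box(b"hdlr", b"\x00" * 25) + box(b"ilst", b"".join(items))
    return box(b"ftyp", b"M4A \x00\x00\x00\x00") + box(b"moov", box(b"udta", box(b"meta", meta)))

# Constructed files: one as purchased, one after the identifying items are removed.
TITLE = item(b"\xa9nam", "Example Song")
PURCHASED = sample([TITLE, item(b"apID", "buyer@example.com"),
                    item(b"purd", "2012-01-01 00:00:00")])
CLEANED = sample([TITLE])
```

For a real file, pass its bytes to `find_purchase_atoms`; an empty result only means none of the watch-listed items were found, so compare against a hex view before trusting it.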

3 Comments

Yeah, that was always a crazy thing to me. One time I was at this guy's house, and he had an M4A that wouldn't copy/transfer/sync back in iTunes, so being the massive hacker I am, I right clicked and went to "Info" for the file, and sure enough... here's Purchased by "Id E. Ett", iTunes account "id.e.ett@comcast.com" -- yes, I made those up... but my point is that this was a real person and not some intentionally modified "Dick Trickle" user or something. I was like wow, where did you get this. He said a torrent (I'm sure)... and my only thought was: this naive idiot who shared their purchased music on a P2P network! I wondered how long it would be before this guy got his front door kicked in at 4am...

Ignorance. Most criminals know how to hide evidence or handle things so they don't get caught. They know and think about how they could be caught, possibly, then they take measures to prevent that! This is literally like shooting someone and then leaving the gun, complete with fresh fingerprints at the crime scene.

METADATA and the MP4 container format: learn about them! Apple themselves provide very detailed documentation of their proprietary modifications to the standard MP4 ISO standard in the developer's area. There are metadata nodes called ATOMS in these files, and they're not visible in the file tags, they are hidden to almost all apps (unless you view via HEX editor). These "atoms" contain things like your iTunes account name, email address, unique file ID, exact timestamp of purchase, etc... MP3's are usually not as complex, and Amazon, for instance, will include a unique "Amazon ID" that is stored in the standard "comment" tag. But this was an interesting read, as before this, I had only heard of Atomic Parsley. This seems to be a lot easier to get the job done on a folder really fast. Atomic Parsley is old, and not nearly as easy to use, but is for the power user, as you can do nearly anything involving metadata/atoms to a precise degree.

I'd like to see some links to what exactly these fields are, and where they are. I know how to find them (each file is dynamic, and the info can be at different positions in the file, due to things like the possibility of some fields being capable of multiple tags such as artwork, comments, etc...).

My only comment on the actual "app" itself is it's distributed in "ClickOnce" deployment format (Visual Studio, .application), and effectively runs "server-side". Why? Why not distribute an app compiled to binary/executable? Seems a bit strange, but then again he could just be somebody doing something new-- as there are advantages to this method of deployment.

Alright, can I have a version of iDesiccate that I can store OFFLINE and install at any time without having to worry about some server somewhere going down or being moved?

I downloaded setup.exe -- but that just downloads idesiccate.application -- so I downloaded idesiccate.application -- but that just tells me it's going out on the internet to download something and won't tell me what.